API token scopes

May 9, 2023 · Tobias Bieniek on behalf of the crates.io team

Roughly three years ago, Pietro Albini opened an RFC called "crates.io token scopes". This RFC described an improvement to the existing API tokens that everyone uses to publish crates to the crates.io package registry. The proposal was to make it possible to restrict API tokens to 1) certain operations and 2) certain crates.

Unfortunately, the crates.io team members were quite busy at the time, so it took a while for this proposal to get accepted. To be precise, during the EuroRust conference in October 2022 we talked about the RFC again, and after a few modifications the RFC was moved into FCP status and then finally merged.

The implementation was started soon after, but was paused again due to other priorities at the time. Fortunately, I was lucky enough to get one of the software engineering jobs at the Rust Foundation, so in early April the development continued, and I am happy to report:

API token scopes on crates.io are now in a public beta testing period!

For details on what these token scopes are and how they are supposed to work, I recommend reading through the RFC. If you want to try them out, you can go to https://crates.io/settings/tokens/new and create a new API token scoped to the operations and crates you want:

Screenshot of the "New API Token" page

Please note that this page is currently not reachable from the regular user interface; you have to access it directly via its URL while we test it out.

Finally, if you notice any issues or have any questions, don't hesitate to find us on Zulip or open an issue on GitHub.